Convert String to Dictionary question

Jason Orendorff jason at jorendorff.com
Fri Feb 15 19:22:16 EST 2002


Brian Kelley writes:
> n.b. pickle and cPickle also use eval to convert representations of 
> string values into python strings so security is not a valid reason to 
> choose one over the other, yet...

I dunno, let's compare them:

  1.  pickle/cPickle
      There is a small but nonzero possibility of a yet-unknown flaw
      in either
      (a) pickle.Unpickler._is_string_secure()
          (which I doubt, having checked the function myself) or
      (b) the cPickle equivalent
          (which I have also checked), or
      (c) the way eval() evaluates string literals
          (which might have been noticed before now).
      The chance that this hypothetical flaw might constitute a
      security hole is even smaller but still nonzero.

  2.  eval()
      Well-known gaping security hole.

It seems to me that security is a compelling reason to choose
pickle() over eval().  Am I wrong?

## Jason Orendorff    http://www.jorendorff.com/
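As an added example (not code from the post or from the pickle module), the "check that it is a plain string literal, then eval()" idea discussed above next to the literal-only parser later Python ships as ast.literal_eval; the regex is this example's own approximation of pickle's string check, and the sample inputs are constructed:

```python
import ast
import re

# Constructed sample inputs (not from the original thread): one genuine dict
# literal and two strings that are valid Python but not literals.
SAMPLES = {
    "plain": "{'user': 'alice', 'roles': ['dev', 'ops'], 'uid': 1001}",
    "expression": "{'uid': 1000 + 1}",   # arithmetic: eval would compute it
    "call": "len('abc')",                 # a function call: eval would run it
}

def str_to_dict(text: str) -> dict:
    """Parse a Python dict literal without evaluating code.

    ast.literal_eval accepts only literal syntax (strings, numbers, tuples,
    lists, dicts, sets, booleans, None); names, calls and most operators
    raise ValueError instead of being executed.
    """
    value = ast.literal_eval(text)
    if not isinstance(value, dict):
        raise TypeError(f"expected a dict literal, got {type(value).__name__}")
    return value

def classify(text: str) -> str:
    """Report whether str_to_dict accepts the text ('literal' or 'rejected')."""
    try:
        str_to_dict(text)
        return "literal"
    except (ValueError, SyntaxError, TypeError):
        return "rejected"

# The thread's pickle-style approach: admit exactly one quoted string literal
# (with backslash escapes) and nothing else before calling eval(). This regex
# is an approximation written for this example, not pickle's own check.
_STRING_LITERAL = re.compile(
    r"""\A(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\Z""", re.DOTALL
)

def checked_string_eval(text: str) -> str:
    """Return the value of a string literal; refuse anything that is not one."""
    if not _STRING_LITERAL.match(text):
        raise ValueError("not a plain string literal")
    return eval(text)  # reached only for a single validated string literal
```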




